--------
In message <20151206080054.GB27791@1wt.eu>, Willy Tarreau writes:
>> * TLS does not offer integrity. TLS MiTM can corrupt the messages inside
>> encrypted streams just as easily as thay can for un-encrypted traffic.
>
>Warning Amos, TLS does offer this when it's used reasonably.
There is no way to use it "reasonably" in practice.
The only tools most people have access to treats all
non-CA-protection-racket certificats like radioactive ebola virus.
>To make an analogy, some people used to install some smoke detectors at
>home and it used to save them. Some countries have made it mandatory to
>install such devices at home, so it created a new interesting market for
>unscrupulous vendors making cheap crap that beeps all the day without
>any reason, so users end up disabling them and they can't find working
>ones anymore since the market was replaced with 10 times cheaper devices.
That is a brilliant and on-point analogy!
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.